from the that-makes-it-better? dept

Ah, Diebold. One of the "big three" e-voting providers out there, its name was the first one that got associated with the problems of e-voting machines, despite problems being found across the board in players in that space. I could never understand why the company continued to fight and deny problems with its machines after so much evidence was presented against them. The smart move would have been to admit that the machines had problems, work with security experts to solve them, and come out with better, safer machines. But that's not what happened. Instead, it stonewalled, denied problems, mocked those who exposed security flaws and kept pushing out questionable machines. Eventually, the stories got so bad, that Diebold realized it was having a seriously negative impact on its other lines of business (including ATMs), so it renamed the e-voting division "Premier Election Solutions" (as if people would forget) and went about trying to sell the thing off -- though, for years it couldn't find any takers.

It took a while, but Diebold has finally found a buyer. ES&S has purchased Diebold's e-voting business for a mere $5 million plus some outstanding revenue. In classic Diebold fashion, the company has announced that it "would not be answering questions about the sale" -- because that's how you go about rebuilding trust.

Meanwhile, it's not like ES&S is any better. It, too, has had massive problems with its e-voting machines, while the company has a history of stonewalling attempts by gov't officials to review their code. Oh, and there's this: company memos showed that the company knew about some of the problems with its voting machines that were used in elections. And the most fun of all? When we questioned why e-voting companies didn't allow independent security researchers to examine machines, an ES&S employee showed up in our comments to call us all idiots.

Now, with the combined ES&S/Diebold/Premier, a ridiculously large percentage of the country's e-voting machines belongs to one company, with an amazingly long family tree of faulty machines and a history of attacking anyone who points out those flaws.

Re: Here's a thought.

The problem is in design; what you want is some end-to-end voter-verifiable voting system. As far as software is concerned, who knows what software the machine is running? You can claim it's open source, but when I go and vote on that machine I have no idea if someone replaced the open-source software with some other software that looks like the open-source software. You should read about some of the cryptographic voting systems that try to solve many of the problems, but I'm still reading and trying to understand them. Supposedly Neff's Scheme

Here's the money quote: "So when designing the security behind the software, one must assume an attacker with a $100M budget."

Schneier wrote that in 2004, so adjust for not only inflation but for changing political conditions. Consider for example that the health care industry is currently spending approximately $1.4M per DAY on lobbying efforts, which means that they're spending roughly $500M per year. So clearly, influencing the direction of politics (of which a portion is affecting the outcomes of elections) has monetary value to some entities, and some of them possess the cash to play the game.

Given that existing commercial voting systems are routinely shown to have appalling security flaws at all levels (design, implementation, etc.) I doubt that it would even require anything approaching that kind of budget to implement a viable plan to compromise them en masse. And of course there's always the old reliable standby: "Here's a suitcase with $10M", or its modern equivalent, "Here's a cushy do-nothing job with full benefits and stock options and a nice office and no responsibility other than to make sure you're not in the same room with a decision. Oh, and a golden parachute you can deploy if things start getting dicey".

I found the "idiots" comment from the apparent ES&S employee to be deeply troubling. (I hadn't noticed it

"Confidence tricksters" got that name because their schemes asked people to trust them. To me, this ES&S employee was insisting that we had to trust ES&S, but he was being very defensive about it. While it's dangerous to try to guess emotion from a forum post, I wonder if that wording was a sign of fear.

Re: Re: Here's a thought.

I guess that's a more concrete image that the software architects should have in mind when designing with security in mind.
I always thought that image should be that of a highly motivated "black hat" trying to break the security. Details of the motivation aren't relevant.

But the question still stands. If you have the hardware such as what was just sold by Diebold/Premier, can you put secure software on it?

As suggested by the other AC, you'll at least need some way of verifying that the software in your voting machine matches your source code -- and not the code that a black hat sneaked onto the machine.

Re: Re: Re: Here's a thought.

Your thoughts re open code and re verifying that the installed code matches the source are on-target, and are of course just the sort of due diligence that should be happening.

However...even if we presume those steps and all the details surrounding them are designed, implemented, and audited to whatever lofty standards we would insist on: it's not enough.

It's not enough because -- with the kind of budget that Schneier posits (see my posting a few articles up) -- attackers can go after the hardware. As in "custom chips". With that kind of money available, that's a threat that you have to take seriously and design/build against...and that's not going to happen with the hardware that those systems currently use. It may not happen with any hardware available at reasonable cost.

The best solution with this is to drop the machines entirely. Other, more civilized countries use technology like "pencil and paper" accompanied with long-tested procedures to provide a combination that's highly resistant to individual fraud and even more so to large-scale fraud. We should use this as well, and be patient enough to wait a few days for results.

Re: Re: Re: Re: Here's a thought.

You might be right on the pencil/paper method. But bear with me with this line of thinking.

When you say "go after the hardware" do you mean gain possession of the voting machine, alter the hardware and/or software and put it back before they extract the voting results?

I'm asking this because the pencil/paper method has a known method of attack which involves the bad guys gaining possession of the ballot box, altering the contents of the paper votes, and putting it back before they extract the voting results from the ballot box.

Here I'll ask if it is reasonable that we hold the electronic voting to the same standard as pencil/paper voting.

This means, of course, that we train the poll workers to keep an eye on the voting machine the same way they would do for a ballot box full of votes. It is not acceptable if they don't.

It is also not acceptable if a voter in the voter booth can compromise the voting machine. Or worse, be able to compromise the votes in the other machines in the precinct or county.

Hardware -- and pencil/paper

What I mean is this: we all presume (and correctly for the most part) that if we verify the source code, and if we verify the code->compiler->assembler->etc. pipeline, that the code when executed will do what we think it'll do.

But what if it doesn't? What if the hardware executing the code has a bug? What if that bug is deliberate? What if that bug is designed so that it only activates when the current time-of-day is (let's say) between 8 AM and 8 PM on an election day (whose dates are known very far in advance)? Or what if the bug only activates if candidates for party A are more than .5% ahead but no more than .75% ahead of party B? (I trust it's obvious why such a range is desirable.) Or what if...

The point being that it's not necessary to gain physical access to the machines and swap hardware. It can be placed there well in advance and left there, because prior and subsequent testing of the unit probably won't reveal the problem. Sufficiently crafty thinking can reduce the probability of detection while increasing the probability that the bug will have an impact on a closely contested election. (Those that are outside that range aren't as susceptible to manipulation.)

With a $100M+ budget, or more realistically today, a $500M+ budget, all of this is easily possible: it's a realistic threat. So it's got to be defended against, and the vendors to date are not even in the same space-time continuum with this kind of thinking. It Will Not Happen, and they will continue to deny the issues, obfuscate, lie, etc. because of course it's profitable to do so.

As to attacks against pencil/paper systems: these are (a) well-known and well-understood, which means that (b) there are any number of equally well-known and well-understood defenses against them, which are (c) low-tech and (d) can be carried out by relatively untrained personnel. Moreover, (e) carrying out large-scale fraud via attacks on pencil-and-paper systems is (f) difficult, (g) unwieldy and (h) necessarily requires a substantial number of people, which increases the probability that someone will screw up, someone will blab, someone will be caught, someone will confess.

It's not that pencil-and-paper systems are impervious: they're not. But they are MUCH harder to game, even with a $500M budget, and those trying to do so incur a MUCH higher risk of detection.

Re: Voting Machines - Open Code

But then a voter has to trust someone else to inspect every single machine properly, and they have to trust that the code wasn't changed before or after inspection. Plus, the code may be open source, but how do you know it's the open-source code running and not slightly modified software, unless a "trustworthy" person compiles all the code and the operating system on every computer? Your solution is simply not practical. There are better solutions.

Re: Re: Here's a thought.

"Given that existing commercial voting systems are routinely shown to have appalling security flaws at all levels (design, implementation, etc.) I doubt that it would even require anything approaching that kind of budget to implement a viable plan to compromise them en masse."

A solution is possible, one that provably shows that your vote counted, though it's not foolproof against vote flooding.

One solution is to have all the people who voted in each city listed by first and last name on a website. I go to a website, select my city, and all the people who voted are listed there.

Then, when I vote I am first given a number. I type in my vote after being given that number and write it down. I go to a website where everyone's number is listed, and I make sure my vote is there right next to my number. Anyone and their mother can tally up the votes, and everyone independently checks that their vote counted. It doesn't matter what software is on the computer, open source or closed source, etc... If the numbers don't add up you know something is wrong; there is NO getting around that. Of course there is the potential of vote flooding: making up false names in a city and putting in votes. Perhaps the address of every voter can be listed as well, or perhaps the block, right next to their name, so that people can say, "hey, no one by that name lives there." It would be risky trying to attempt a massive voter fraud. Also, if they put in a vote for a dead person, their relatives will see it on the website and they can blog about it and protest. Or if they say grandma voted and she didn't, the granddaughter will see grandma's name on the list and ask grandma, "you didn't vote that day, you were sick" and tada, blogs, protests, blah blah blah, especially if this sort of thing happens on a massive scale.

The problem with this approach is that it leaves the possibility for coercion, or for selling your vote to whoever would pay you to vote for whomever they want, since you can prove who you voted for to someone else. What you want is a system where you can prove to yourself who you voted for and that it tallied up in the count, but you can't prove it to anyone else no matter what. In that regard, I have given you links where people have tried to solve the problem; you should read about them before assuming anything. It's not about open-sourceness, it's about developing an end-to-end user-verifiable voting system where each user can verify individually that their vote counted (no matter what software is being run: open source, closed source, hacked, with viruses, etc...) and was included in the tally of votes, yet it disallows the user from being able to prove to anyone else who they voted for.

Re: Re: Re: Here's a thought.

Now one could argue that listing the address of each person is not a good idea for privacy reasons, but even so, if the number of people who voted in a city is twice the number of qualified and/or registered voters (or the population) in that city, people would know something is wrong. One could attempt a distributed flooding attack where they add a few bogus names to each city, but again, if the number of voters shown on the list nationwide is obviously greater than the number of registered voters and/or qualified voters (or the population), people would know something is wrong. These kinds of systems open the possibility for bloggers and other individual investigators to investigate whether someone by some name really lives in some city or whether that name was just randomly made up. A massive-scale flood attack would probably be very hard to get away with, given that everyone and their mother would be putting billions of dollars worth of time into investigating the issue and making sure that voter fraud did not occur.
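The scheme the two comments above sketch (a public list of receipt number, city, name and vote; anyone can recompute the tally; a city with more ballots than registered voters is the tell for flooding) and the coercion weakness raised in the reply can both be seen in a few lines of code. The following is an added illustration, not code from Techdirt or from any commenter or vendor; the bulletin board, the registered-voter counts and the announced tally are all constructed sample data, and the check names are my own.

```python
from collections import Counter

# Everything below is constructed for illustration: no real election, voters or numbers.

# Registered-voter count per city, assumed to be published by the registrar.
REGISTERED = {"Springfield": 4, "Shelbyville": 3}

# The public bulletin board as the comment proposes: one row per cast ballot,
# with the receipt number the voter was handed, the voter's city and name, and the choice.
BOARD = [
    {"receipt": 1001, "city": "Springfield", "name": "Ada Alpha",   "choice": "X"},
    {"receipt": 1002, "city": "Springfield", "name": "Ben Bravo",   "choice": "Y"},
    {"receipt": 1003, "city": "Springfield", "name": "Cy Charlie",  "choice": "X"},
    {"receipt": 1004, "city": "Springfield", "name": "Di Delta",    "choice": "X"},
    {"receipt": 1005, "city": "Springfield", "name": "Ed Echo",     "choice": "X"},  # 5th ballot, 4 registered
    {"receipt": 2001, "city": "Shelbyville", "name": "Fay Foxtrot", "choice": "Y"},
    {"receipt": 2002, "city": "Shelbyville", "name": "Gus Golf",    "choice": "Y"},
]


def check_receipt(board, receipt, expected_choice):
    """What one voter does at home: is my number on the board exactly once, next to my choice?"""
    rows = [r for r in board if r["receipt"] == receipt]
    return len(rows) == 1 and rows[0]["choice"] == expected_choice


def tally(board):
    """Anyone can recompute the totals from the public list, with whatever software they like."""
    return Counter(r["choice"] for r in board)


def flooding_check(board, registered):
    """Cities where more ballots are listed than voters registered: {city: (listed, registered)}."""
    per_city = Counter(r["city"] for r in board)
    return {city: (n, registered.get(city, 0))
            for city, n in per_city.items() if n > registered.get(city, 0)}


def audit(board, registered, announced):
    """Run the public checks and return human-readable findings; empty means nothing contradicted."""
    findings = []
    if len({r["receipt"] for r in board}) != len(board):
        findings.append("duplicate receipt numbers on the board")
    recomputed = tally(board)
    if recomputed != Counter(announced):
        findings.append(f"announced tally {dict(announced)} != recomputed {dict(recomputed)}")
    for city, (n, reg) in flooding_check(board, registered).items():
        findings.append(f"{city}: {n} ballots listed but only {reg} registered voters")
    return findings


def receipt_reveals(board, receipt):
    """The weakness the reply points out: anyone shown a receipt number learns that vote,
    so the receipt doubles as proof of how one voted, which is what enables coercion and vote buying."""
    for r in board:
        if r["receipt"] == receipt:
            return r["choice"]
    return None


if __name__ == "__main__":
    # Constructed announcement that disagrees with what the board actually contains.
    announced = {"X": 5, "Y": 2}
    for finding in audit(BOARD, REGISTERED, announced):
        print("FINDING:", finding)
```

Run as-is, the audit reports both a tally mismatch (the board recomputes to X:4, Y:3) and the fifth Springfield ballot. `receipt_reveals` is the part an end-to-end verifiable design has to remove: the voter must still be able to confirm their own ballot, but the public record must not let a third party who is handed the receipt learn the choice.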

Re: Re: Here's a thought.

"Here's the money quote: "So when designing the security behind the software, one must assume an attacker with a $100M budget.""

With a well-implemented end-to-end user-verifiable voting system they're going to need A LOT MORE than $100M to cheat the system, given that everyone and their mother would be putting billions upon BILLIONS of dollars worth of time and effort (in real GDP) into investigating the issue to ensure that voter fraud did not occur. The fact that I can check on a website to ensure that my vote counted is alone $ worth of time and effort; everyone voting would do the same thing = $$$ worth of time and effort, plus bloggers and everyone else investigating for vote-flooding attacks = $$$$$$ worth of time and effort. A mass-scale fraud would likely make people suspicious, and they would post it on blogs along with the evidence that everyone can independently verify, and you would have blogs, protests, huge outcries and a disaster.

Re: Re: Re: Here's a thought.

Not to mention the hundreds of billions of dollars worth of time and effort that's going to go into protests and rebellion if voter fraud did occur. With a well-implemented end-to-end user-verifiable voting system I can put my vote into a computer, go home and ensure that my vote counted on the list that everyone else's vote is also put on, and I can tally up all the votes myself along with my vote (of course I'll use a computer program I wrote to do it for me). I can INDEPENDENTLY verify that my vote counted and was tallied up with everyone else's vote, and so can everyone else. I don't care what software was used to put my vote on the Internet with everyone else's; it can be hacked, it can be closed source, open source, it can have viruses, it can utilize mysterious magical powers from some obscure magic fairy dust found on the moon somewhere to get the job done, makes no difference to me (as long as the job gets done) because I KNOW (and everyone else KNOWS) that if my vote does not appear on that website along with everyone else's so I can add it up with everyone else's, the system is broken. If the numbers don't add up then everyone knows the system is broken. We just care about the output, and it BETTER make sense in terms of what we inputted into the system; I don't care what software or hardware was used to input it. All I care about is that the output makes sense in terms of the input. And given the fact that everyone will put billions upon BILLIONS of dollars worth of time and effort into ensuring the output DOES make sense in terms of the input, $100M begins to quickly look like a sad joke. Voter fraud on a large scale would lead to MANY MANY BILLIONS of dollars worth of time and effort going into protests and rebellion. That time and effort I put into it is worth money. With everyone putting time and effort into verifying the system's integrity, that adds up to a lot of money going into ensuring the system works.

Remember, when it comes to voting systems what you want to focus on is the ends; don't worry so much about what happens in the middle, because that's a black box to us anyway. It can utilize black magic for all I care, as long as what happens at the ends makes sense and the output makes sense in terms of the input. If the numbers on the output don't add up then we know something is wrong, and we want to put our efforts into adopting a system where the output verifies to us that our inputted votes were properly counted and tallied.